IN THE CLAIMS : 

No claims are amended herein. All pending claims are produced below. 



1 . (Previously Presented) A computer-implemented method for determining 
whether computer code contains malicious code, said method comprising the steps of: 

identifying computer code suspected of currently containing malicious code; 
optimizing the identified computer code to produce optimized code; 
subjecting the optimized code to a malicious code detection protocol; and 
responsive to the malicious code detection protocol detecting malicious code 

in the optimized code, declaring a confirmation that the computer code 

contains malicious code. 

2. (Original) The method of claim 1 wherein the malicious code detection 
protocol is a protocol fi-om the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

3. (Original) The method of claim 1 wherein the optimizing step comprises 
performing at least one technique fi-om the group of techniques consisting of constant 
folding, copy propagation, non-obvious dead code elimination, code motion, peephole 
optimization, abstract interpretation, instruction specialization, and control flow graph 
reduction. 

4. (Original) The method of claim 3 wherein at least two of said techniques are 
combined synergistically. 

5. (Original) The method of claim 1 wherein the computer code is polymorphic 
code comprising a decryption loop and a body; and 
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the optimizing step comprises optimizing just the decryption loop. 

6. (Previously Presented) A computer-implemented method for determining 
whether computer code contains mahcious code, said method comprising the steps of: 

identifying computer code suspected of currently containing malicious code, 
the computer code having a decryption loop and a body; 

optimizing the decryption loop to produce optimized loop code; 

performing a malicious code detection procedure on the optimized loop code; 

optimizing the body to produce optimized body code; 

subjecting the optimized body code to a malicious code detection protocol; 
and 

responsive to the malicious code detection procedure detecting malicious code 
in the optimized loop code or the malicious code detection protocol 
detecting malicious code in the optimized body code, declaring a 
confirmation that the computer code contains malicious code. 

7. (Original) The method of claim 6 wherein the malicious code detection 
procedure is a procedure from the group of procedures consisting of pattern matching, 
emulation, checksumming, heuristics, fracing, and algorithmic scanning. 

8. (Original) The method of claim 6 wherein the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

9. (Original) The method of claim 6 wherein the step of optimizing the body 
comprises using at least one output from the group of steps consisting of optimizing the 
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decryption loop and performing a malicious code detection procedure on the optimized loop 
code. 

10. (Original) The method of claim 6 wherein, when the step of performing a 
malicious code detection procedure on the optimized loop code indicates the presence of 
malicious code in the computer code, the steps of optimizing the body and subjecting the 
optimized body code to a malicious code detection protocol are aborted. 

1 1 . (Original) The method of claim 6 further comprising the additional step of, 
after the step of performing a malicious code detection procedure on the optimized loop 
code, revealing an encrypted body. 

12. (Original) The method of claim 1 1 wherein the step of revealing an 
encrypted body comprises emulating the optimized loop code. 

13. (Original) The method of claim 1 1 wherein the step of revealing an encrypted 
body comprises applying a key gleaned from the optimized loop code. 

14. (Previously Presented) The method of claim 1, wherein optimizing the 
computer code to produce optimized code comprises: 

performing a forward pass operation; 
performing a backward pass operation; 
performing a control flow graph reduction; and 
iterating the above three steps a plurality of times. 

15. (Original) The method of claim 14 wherein the iteration of the three steps 
stops after either: 

a preselected number of iterations; or 
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observing that no optimizations of the computer code were performed in the 
most recent iteration. 

16. (Original) The method of claim 14 further comprising the step of performing 
a code motion procedure, wherein the four steps are iterated a pliirality of times. 

17. (Previously Presented) The method of claim 14 wherein the forward pass 
operation comprises one or more steps from the set consisting of: 

peephole optimization; 
constant folding; 
copy propagation; 

forward computations related to abstract interpretation; and 
instruction specialization. 

18. (Previously Presented) The method of claim 14 wherein the backward pass 
operation comprises one or more steps from the set consisting of backward computations 
related to abstract interpretation and local dead code elimination. 

19. (Original) The method of claim 1 8 wherein the backward pass operation 
comprises the additional step of global dead code elimination. 

20-23. (Canceled) 

24. (Previously Presented) A computer- readable storage medium containing 
executable computer program instructions for determining whether computer code contains 
malicious code, said computer program instructions performing the steps of: 

identifying computer code suspected of currently containing malicious code; 

optimizing the identified computer code to produce optimized code; 

subjecting the optimized code to a malicious code detection protocol; and 
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responsive to the malicious code detection protocol detecting malicious code 
in the optimized code, declaring a confirmation that the computer code 
contains malicious code. 

25. (Original) The computer-readable medium of claim 24 wherein the malicious 
code detection protocol is a protocol from the group of protocols consisting of pattern 
matching, emulation, checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

26. (Original) The computer-readable medium of claim 24 wherein the 
optimizing step comprises performing at least one technique from the group of techniques 
consisting of constant folding, copy propagation, non-obvious dead code elimination, code 
motion, peephole optimization, absfract interpretation, instruction specialization, and control 
flow graph reduction. 

27. (Original) A method for determining whether computer code contains 
malicious code, said method comprising the steps of: 

performing a dead code elimination procedure on the computer code; 
noting the amount of dead code eliminated during the dead code elimination 
procedure; and 

when the amount of dead code eliminated during the dead code elimination 
procedure exceeds a preselected dead code threshold, declaring a 
suspicion of malicious code in the computer code. 
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